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Abstract — We consider the problem of resource allocation and 
control of multihop networks in which multiple source-destination 
pairs communicate confidential messages, privately from the in- 
termediate nodes. We pose the problem as that of network utility 
maximization, into which confidentiality is incorporated as an 
additional quality of service constraint. We develop a simple, and 
yet provably optimal dynamic control algorithm which combines 
flow control, routing and end-to-end secrecy encoding. In order 
to achieve confidentiality, our scheme exploits multipath diversity 
and temporal diversity due to channel variability. Our end-to- 
end dynamic encoding scheme encodes confidential messages over 
many packets, to be combined at the ultimate destination for 
recovery. We also evaluated our scheme numerically under various 
conditions to show its efficacy. 

I. Introduction 

In some scenarios (e.g., tactical, financial, medical), con- 
fidentiality of communicated information between the nodes 
is necessary, so that data intended to (or originated from) a 
node is not shared by any other node. Even in scenarios in 
which confidentiality is not necessary, it may be dangerous to 
assume that nodes will always remain uncompromised. Keeping 
different nodes' information confidential can be viewed as a 
precaution to avoid a captured node from gaining access to 
information from other uncaptured nodes. 

In this paper, we consider wireless networks in which mes- 
sages are carried between the source destination pairs coop- 
eratively in a multi-hop fashion via intermediate nodes. In a 
multihop network, as data packets are transferred, intermediate 
nodes obtain all or part of the information through directly 
forwarding data packets or overhearing the transmission of 
nearby nodes. This poses a clear problem when transferring 
confidential messages. In this paper, we build provably effi- 
cient algorithms for confidential multiuser communication over 
multihop wireless networks without the source-destination pairs 
having to share any confidential key a priori. The metric we 
use to measure the confidentiality is the mutual information 
leakage rate to the relay nodes, i.e., the equivocation rate. We 
require this rate to be arbitrarily small with high probability and 
impose this in the resource allocation problem formulation via 
an additional constraint. 

To provide the basic intuition behind our approaches and 
how the source nodes can achieve confidentiality from the relay 
nodes, consider the following simple example of a diamond 
network given in Fig. Q] Let the source node have a single 
bit of information to be transmitted to the destination node, 
with perfect secrecy (with mutual information leaked) from 
the relay nodes r\ and r%. The issue is that, the source cannot 
transmit this bit directly over one of the possible paths (through 
r\ or r%), since either r\ or r2 would obtain it, violating the 
confidentiality constraint. This problem can be solved by adding 
random noise (i.e., randomization bit) on the information bit, 




Fig. 1. Diamond network 

and sending the noise and the noise corrupted message over 
different paths, which can then be combined at the destination. 
The details of the process is as follows: 

(1) Let b denote the information bit. The source generates a 
noise bit N at random, with P (N = 0) = P (N = 1) = ± . 

(2) Source node transmits N to relay r\ and b®N to relay r%. 
Then, the relay nodes forward these bits to the destination. 

(3) Destination node reconstructs the original bit by a simple 
xor operation: b = N(B (b ®N). 

Note that with the information available to the relay nodes, 
there is no way that they can make an educated guess about 
the information bit, since they have zero mutual information: 
I(b\N) = I(b;N @b) = 0. Full confidentiality is achieved here at 
the expense of halving of the data rate, i.e., for each information 
bit the source has, the network has to carry two bits to the 
destination. Furthermore, one can see that the existence of 
multiple paths from the source to the destination is crucial to 
achieve perfect secrecy. However, a source cannot route the 
confidential information arbitrarily over the relay nodes. Hiding 
information from the other nodes can be made possible with 
a careful design of end-to-end coding, data routing on top of 
other network mechanisms, flow control and scheduling in order 
for an efficient resource utilization. Clearly, the example is 
highly simplistic and ignores many important issues, which we 
explicitly consider in this paper. In particular: 

(a) To achieve confidentiality, one needs to encode blocks of 
information over multiple packets. We develop a novel adaptive 
end-to-end encoding scheme, which takes feedback from the 
network and chooses the appropriate code rates to maintain 
confidentiality for each block of data. 

(b) In a multihop network, each node possibly overhears the 
same information as it is transmitted over multiple hops. We 
take into account such accumulation of information over multi- 
ple transmissions. Thus, we need to go beyond the scenario 
given in Fig. Q] in which the paths are disjoint and each 
intermediate node has only one path crossing. 

(c) We combine a variety of strategies developed in the con- 
text of information theoretic secrecy with major networking 
mechanisms such as flow control and routing. Such a unifying 
framework is non-existent in the literature as it pertains to 
multihop information transmission. For that purpose, we model 
the entire problem as that of a network utility maximization, in 
which confidentiality is incorporated as an additional constraint 
and develop the associated provably optimal dynamic flow 



control, routing, and scheduling mechanisms. 

(d) We take into account wireless channel variations in our 
scheduling and routing policies as well as end-to-end encoding 
scheme for confidentiality. For that purpose, we assume instan- 
taneous channel state information (CSI) at the transmitters. 

(e) Our attacker model is that of a passive one: while each 
attacker can overhear all the information transmitted and re- 
ceived by a single node, it is not capable of changing the 
content of the information the node forwards, nor does it inject 
phantom messages into the network. In our model, intermediate 
nodes are entities, compliant with network operations as they 
properly execute algorithms, but the messages need to be kept 
confidential from them. 

We address the problem in two parts. In the first part, we 
ignore the delay issue and consider the possibility of encoding 
over very long blocks of information in order to maximize the 
confidential data throughput. For any given encoding rate (not 
necessarily optimized for the network conditions), we provide 
a dynamic network control scheme that achieves a utility, 
provably close to the maximum achievable utility (for those 
particular encoding rates), subject to perfect secrecy constraint, 
i.e., guaranteeing with probability 1 that an arbitrarily low 
mutual information is leaked to the intermediate nodes on the 
confidential message. The main challenges involved in gener- 
alizing the network control problem to multihop networks with 
confidentiality are dynamic end-to-end encoding and multipath 
routing. The confidential message is encoded over many blocks, 
which implies that the time-scale involved in physical-layer 
resource allocation cannot be decomposed from the time scales 
involved in network-layer resource allocation, eliminating the 
time-scale separation assumption of standard dynamic control 
algorithms. This leads to some unique technical issues that were 
not addressed in the existing studies on network resource allo- 
cation. In addition, the existing schemes for wireless multihop 
networks are not concerned with how information ought to be 
spatially distributed in the network |fl~), Additional "virtual" 
queues are defined for the leaked information to other nodes in 
the network to make sure that information from the source node 
is sufficiently spatially distributed in the network. Hence, unlike 
the standard multihop dynamic algorithm where the objective is 
to only increase end-to-end flow rates, in our problem increasing 
the flow rate and keeping confidentiality of the messages appear 
as two conflicting objectives. 

Next, we consider practical delay requirements for each user, 
which eliminates the possibility of encoding over an arbitrarily 
long block. Due to finite codewords, subsequent packets asso- 
ciated with a given secrecy-encoded message cannot be decou- 
pled, eliminating the possibility using standard dynamic control 
algorithms. For the same reason, achieving perfect secrecy for 
all confidential messages is not possible. Consequently, we 
define the notion of secrecy outage, and impose a probabilistic 
constraint on the probability that a message experiences a 
secrecy outage. This time, we also develop a dynamic policy 
to choose the encoding rates for each message, based on 
the instantaneous channel state information, queue states and 
secrecy outage requirements. We observe that proposed scheme 



approaches the optimal rates asymptotically, with increasing 
block size. Finally, we numerically characterize the performance 
of dynamic control algorithms with respect to several network 
parameters. 

Here, it first must be stressed that even though the flow 
control is distributed, the scheduling is still assumed to be 
centralized in this paper. The reason why we design centralized 
algorithm is that the centralized algorithm provides an upper 
bound of network performance and a benchmark to evaluate 
performance of distributed algorithms. However, we note that 
the results of this work can be extended to distributed implemen- 
tations using the approach in [3| at the expense of sacrificing 
some confidential data throughput. The key idea in (3) is to 
introduce regulators at each node, one for each flow passing 
through the node. Regulators are mainly utilized to limit arrivals 
based on the knowledge of average arrival rate. The packets 
are first queued at the regulator, and they are transferred from 
the regulator to the corresponding queue only when the size 
of the regulator is positive. Additionally, we need to keep 
a virtual queue, which keep track of how much information 
is accumulated at intermediate nodes. This time, regulators 
limit the arrival process, and normal and virtual queues are 
responsible for determining scheduling. 

In the following, we develop our dynamic network control for 
confidential multi-hop communications by focusing on wireless 
networks. However, as will be discussed later, the proposed 
framework and developed concepts can be readily applicable 
to wired networks as well. 

II. Related Work 

Since the pioneering work of Wyner 0], there has been 
a wide interest on the variations of the wiretap channel and 
how to provide secrecy in various cases, mainly under the 
single hop setting. To give a few examples on the single hop 
setting, in Q, |6|, opportunistic secrecy was introduced, which 
allows for the exploitation of channel variations due to fading 
to achieve secrecy, even when the eavesdropper has a higher 
average signal-to-noise ratio (SNR). Achieving delay-limited 
secrecy and outage capacity of the wiretap channel were studied 
in Q. Multiuser communication with secrecy using cooperative 
jamming and relaying in the presence of eavesdropper was 
studied in JHJ. The design of the practical codes that approach 
the promised capacity limits was investigated in (9), iflOl . 
Confidentiality in multihop networks were also considered to 
some limited extent. In ifTTl . Ifl2l the secrecy capacity scaling 
problem is addressed. Exploitation of path diversity in order to 
achieve confidentiality from external eavesdroppers is studied 
in fPHl . lfT4ll and for confidentiality via mobility in lfl31 . 

Despite the significant progress in information theoretic se- 
crecy, most of the work has focused on physical layer tech- 
niques. Therefore, our understanding of the interplay between 
the confidentiality requirements and the critical functionali- 
ties of wireless networks, such as scheduling, routing, and 
congestion control remains unlimited. Recently, in |[T6l . we 
have investigated the cross-layer resource allocation problem 
with confidentiality in a cellular wireless network, where users 



transmit information to the base station, confidentially from the 
other users. To our best knowledge, multihop network control 
with confidentiality has not been investigated before. 
III. System Model 

We consider a multi-hop wireless network with K source- 
destination node pairs communicating with each other via 
intermediate relay nodes. Let S and D be the set of information 
ingress and egress nodes in the network, respectively. There 
is no direct connection between the nodes in S and D, and 
messages from a source node are relayed by intermediate nodes 
in the network to the intended destination node. For ease of 
exposition, we consider a set of logical links, L, connecting the 
nodes in the network, i.e., nodes i and j can communicate only 
if link g L. 

All nodes in the network are legitimate nodes. However, each 
source node in S aims to keep its information confidential from 
all other nodes in the network except the intended destination 
node in D. To that end, a source node precodes its message, 
divides it into multiple pieces, and sends separate pieces over 
different paths to the destination. Henceforth, none of the inter- 
mediate relay nodes in the network will accumulate sufficient 
amount of information to decode the confidential message. 

We assume every channel to be iid block fading, with a block 
size of N\ channel uses (physical-layer symbols). We denote the 
instantaneous achievable rate of the channel between nodes ; 
and j in block t by Rij(t), where Rjj(t) is the maximum mutual 
information between the output symbols of node i and input 
symbols of node j. Even though our results are general for 
all channel state distributions, in numerical evaluations, we use 
Gaussian channels, as will be described in Section I VIII 




Fig. 2. A diamond shaped multi-hop multi-path network. 

We assume the wireless transceivers to operate in a half 
duplex fashion, i.e., a node cannot transmit and receive si- 
multaneously. Hence, two links sharing a common ingress or 
egress node cannot be active simultaneously. We define a set of 
links that can transmit simultaneously as a set of concurrently 
active links indexed by e. Also, let E be the collection of 
all sets of concurrently active links. Set E depends on the 
assumed interference model. For example, consider a sample 
multi-hop network as shown in Fig [2] with node-exclusive 
interference model. Examples of set of concurrently active 
links include {(si, 1), (s 2 ,3), (2,di)}, {(s\ , 1), (.$2,3), (2, d 2 )}, 
{(Jl,2),(l,£/i),(3,£fe)}, and {(s 2 ,2), (l,di),(3,d 2 )}. At the be- 
ginning of every block, the scheduler chooses a particular set 
of concurrently active links. We use indicator variable J? e {t) to 
represent the scheduler decision, where ,f e (t) is one if set e is 
scheduled for transmission in block t, and it is zero otherwise. 
By definition, £ fG£ J e {t) < 1 for all t > 0. 



There are K different flows in the network, one for each 
source-destination node pair. Each flow in the network is 
identified by the index of its ingress node, and thus, the network 
flow problem considered in this work can be modeled as a multi- 
commodity flow problem. Let J^fjf) be the indicator function 
taking a value of 1 if link carries commodity s in block 
t. Hence, the total flow rate of commodity s over link in 
block t is: 



Rij(t), if(i,j)ee,S e (t) = l,S i ',(t) = l 



0. 



otherwise 



(1) 



Due to broadcast nature of wireless communications, trans- 
missions are overheard by unintended receivers. At every trans- 
mission, overhearing neighboring nodes accumulate information 
for each commodity s. Let A: be a node overhearing a transmis- 
sion of commodity s over link (i, j), i.e., there is a link (/, k) G L. 
Then, whenever node k is not active transmitting or receiving, 
i.e., no link originating or terminating at node k is scheduled, 
it accumulates fiif) = Rikif) bits of information over block 
t. We assume that the centralized scheduler has the reach to 
instantaneous channel state information, i.e., Rij(t) is available 
causally for each link (i,j). 

Discussion: The perfect secrecy of multihop wireless com- 
munications relies on the fact that individual links experience 
statistically independent fading. The random channel variations 
are then exploited by opportunistic algorithms such as the 
control algorithms presented in Section [V] and |VI] These con- 
trol algorithms can also be used in a wired network setting, 
wherein the random variations in the links are due to the 
congestion control and buffer management mechanisms. The 
main differences in a wired network setting are: All links can 
be concurrently active, which in turn relaxes the scheduling 
constraints to complete set of links in the network; and the 
capacities of the links are constant, i.e., Rij(t) =Rij, for all t. 

IV. End-to-End Achievable Confidential Rates 

In this section, we analyze the achievable confidentiality 
rate for a given source-destination pair, when the sequence 
of scheduling and routing decisions are given. Assume that 
depending on the message length, and routing decisions the 
entire session for commodity s lasts for N s blocks, i.e., the 
destination node receives the complete message at the end of 
N s blocks counted from the beginning of the first block the 
source node started its transmission. This corresponds to a total 
of N = N\N S channel uses. 

Each source node s has a confidential message W s 6 
{ 1 , . . . , 2 J } to be transmitted to an intended destination over 
N channel uses. Let the vector of symbols received by node k 
be Yi, To achieve perfect secrecy, the following constraint must 
be satisfied by node s: for all k, 



^I(W s ,Y s k )<e, asAf 



(2) 



As will be shown shortly, for a given scheduling and rout- 
ing policy, source s achieves a confidential data rate R s 7,n = 
miny^ |/? s — E fj(t) j, where R s is the transmission rate of 



node s. To achieve this set of rates, we use a confidential 
encoding strategy based on random coding and binning ifTTI 
described in the proof of the following theorem. 

Theorem 1: Given scheduling and routing decisions, 
y e (t), S?,(t) for all f > and for all <E L, a confidential 
data rate of 



RP = E 



E Ha 



■max{E[f](t)]}, (3) 



is achievable for source s. 

The proof of this theorem is in Appendix [A] One can 
notice that, if there exists a node j through which all possible 
paths between a given source s and its destination are passing, 



then Rg = for that source s, since E fj(t) is identical to 

E [L(.v,;)gl/4i(0] f° r tnat n °de, This underlines the necessity 
of the existence of multiple paths between a source-destination 
pair in order for them to achieve some non-zero confidential 
data rate. 

Note that, to achieve this confidential data rate of R%, the 
rate of data, composed of the actual confidential bits and the 
randomization bits to confuse the intermediate nodes, carried 
over the network is R s , which is lower bounded as: 



R s > 



E MrfCO 

[s,i)eL 



(4) 



as with probability 1 as N\,N S — > °° for any given 8 > 0. This 
follows directly from strong law of large numbers as 



1 



lim^E E mo 



E MO 

(s,i)eL 



with probability 1, where the expectation is over the achievable 
rates of all links (s, i) G L. 

Before finalizing this section, note that the rate provided 
in Theorem [T] is achieved as the number of blocks N s — > °°. 
This implies that, encoding for confidentiality is done over an 
infinitely-long sequence of blockffl In the next section, we 
provide network mechanisms to maximize a utility function over 
infinitely many blocks. Following that, we incorporate a more 
practical constraint of encoding over a finite number of blocks, 
imposing a hard limit on the decoding delay. 

V. Multihop Network Control with 
Confidentiality 

In this section, our objective is to determine a joint scheduling 
and routing algorithm that maximizes aggregate network utility 
while achieving perfect secrecy over infinitely many blocks., 
i.e., N s — > oo. Initially, we assume that messages are incoming 
to a source node encoded a priori at a fixed and given rate that 
is not necessarily optimal, i.e., the rate may not maximize the 
confidential data throughput of the source node . More precisely, 
confidential message of source s is encoded with a fixed rate 
code C(2 NHs ,2 NtXsRs ,N), where the confidential information rate 
of the encoded packet is R[ ,,n = a s R s . We assume end-to-end 

'The number of blocks need to be large enough for sufficient averaging of 
the variations in the channels. 



confidential data rates, {tt s R s , s € S}, to lie in the region of 
achievable end-to-end confidentiality. 

Let U s (x) be utility obtained by source s when the confidential 
transmission rate is x bits/channel use. We assume that U s (-) is 
a continuously differentiable, increasing and strictly concave 
function. There is an infinite backlog at the transport layer, 
which contains the secrecy-encoded messages. In each block, 
source node s determines the amount of encoded information 
admitted to its queue at the network level. Let A s (t) be the 
amount of traffic injected into the queue of source s at block t, 
and x s = limyv^oo 37-Lr As(f) be long term average arrival rate. 
Our objective is to support the traffic demand to achieve a long 
term confidential rate that maximizes the sum of utilities of the 
sources. 

The arrival rate, x s should combine both the confidential 
information and the randomization bits. Hence, for the arrival 
rate of x s , the confidential information rate is a s x s , and source s 
attains a long term expected utility of U s (a s x s ). Recall that the 
rate of information obtained by any intermediate node should 
not exceed the randomization rate, (1 — a s )x s , to ensure perfect 
secrecy. To that end, we consider the following optimization 
problem: 

max V U s (a s x s ) (5) 

A s ( t ),^W,^(0,es 



s.t. x. 



< E 



E MO 

,{i\(s,i)eL} 



E 



E 



E /*y(0 

LOI(U)eL} 



-E 



E 

L{y|(j,i)eL} 



[//«] <{l-a s )x s ,Vs€S,Vj<£S,D, 



(6) 



>0,Vi£S,D (7) 



(8) 



where the expectations are over all channel realizations and 
scheduling decisions. Constraint (O ensures the stability of 
the queues at the source nodes; Constraint dT) is the flow 
conservation constraint at the intermediate nodes, i.e., the rate 
of incoming packets at intermediate node should be smaller that 
the rate of outgoing packets from that node; and Constraint ([8]) is 
the confidentiality constraint, which ensures that the information 
obtained by any of the intermediate nodes does not exceed the 
rate of the randomization message (1 — (X s )x s . 

To solve the optimization problem (|5]l-(|8]l, we employ a cross- 
layer dynamic control algorithm based on the stochastic network 
optimization framework developed in (18), since the objective 
function in (O is a concave function. This framework allows 
the solution of a long-term stochastic optimization problem 
without requiring the explicit characterization of the achievable 
rate regions. 

Let Q s (t) denote the queue size at ingress node s. Each inter- 
mediate node keeps separate queues Q'j(t) for each commodity 
s. The dynamics of the queues are as follows: 



G?(*+l) 



Qs(t) 



m) 



E 

{i\(s,i)eL} 



-Mt) 



(9) 



e m 



E /*J(0. VMS, A 



{;ia,0ei} 



(10) 



where [.]+ denotes the projection of the term to [0,+°°]. 
The constraint in (0 can be represented by a virtual queue, 
strong stability of which ensures that the constraint is also 
satisfied iflSl . i.e., the perfect secrecy is achieved in our case: 

Z){t + 1) = [zj(0 +fj(t)-(l- a s )A s (t)] + (11) 

-0.05in Control Algorithm 1: The algorithm executes the 
following steps in each block t: 

(1) Flow control: For some H > 0, each source s injects A s (t) 
bits into its queues, where 

A s (t) = argmax I HU s {a s A) - Q s {t)A + £ Z)(t)(\- a s )A \ . 

A I m J 

(2) Scheduling: In each block, f, the scheduler chooses the 
set of links e if ,f e (t) = 1 and flow s on the link e e 
if yfj(t) = 1, where 

(s,e)= argmax ( £ (fif(f) - fij. (f))/i&(0 - £ ZjM/Jwf 

Optimality of Control Algorithm: Now, we present our main 
result showing that our proposed dynamic control algorithm can 
achieve a performance arbitrarily close to the optimal solution 
while keeping the queue backlogs bounded. 

Theorem 2: If Rn(t) < °° for all links and for all t 

blocks, then control algorithm satisfies: 

limMi££E[t/,(T)] >[/*--§ 



limsup 1 £ £E[&(T 



limsup- ££ I E [2'JMK 



B + H(0-U* 
B + H{U-U* 



where B,E\,E2 are positive constants, {/* is the optimal aggre- 
gate utility, i.e., the solution of (|5]|8}, and U is the maximum 
possible instantaneous aggregate utility. 

The proof of Theorem [2] is given in Appendix [B] This 
theorem shows that it is possible to get arbitrarily close to the 
optimal utility by choosing H sufficiently large at the expense 
of proportionally increased average queue sizes. 

Discussion: Before we finalize the section, we would like to 
note that, in this problem we considered a given confidentiality 
encoding rate. The nature of the problem did not allow us to 
further maximize over R s and Z?f m , since we encode informa- 
tion over infinitely many blocks. Consequently, encoding needs 
to be done at the beginning of the entire session and data that 
is injected into the source queues are already confidentiality- 
encoded at the given rates. Hence, the confidentiality encoding 
rate cannot be changed dynamically during the session, as a 
response to the network state information observed. However, 
clearly the maximum accumulated utility is a function of the 
rate pair R s , R§ nv . One can ask the question, for which set 
of pairs, is the sum utility maximized? In Section IVIII we 
numerically evaluate the best rate selection and provide the 
associated performance as an upper bound for our scheme. 



VI. Confidential Multihop Network Control with 
a Finite Decoding Delay Constraint 

In this section, we consider the more practical case where 
there is a hard constraint on the number of blocks a given 
confidential message is encoded, i.e., N s < °°. The entire data 
including actual confidential bits and the randomization bits sent 
by source s is N S R S , where R s is defined as before. Note that 
since the number of blocks is finite, the message can be decoded 
at the destination with a finite delay. We assume that the length 
of the message N S R S is determined a priori based on the required 
end-to-end delay between the source and destination nodes. 

Secrecy outages can be completely avoided in the infinite- 
block scenario, since the network mechanisms can react to an 
undesirably large rate of accumulation at a given node at a time 
scale faster than the number of blocks across which the message 
is encoded. However, here, the reaction time may be too slow 
and the accumulated information at a node may already exceed 
the threshold for perfect secrecy. Consequently, we define the 
notion of secrecy outage, and impose a probabilistic constraint 
on the event that a message experiences a secrecy outage. In 
particular, we assume that, each source has the knowledge of the 
amount accumulated information at each node for its message, 
so it can identify the occurrence of the event of secrecy outage. 
On the other hand, unlike the infinite-block case, each of the 
messages encoded over finite number of blocks, k, can be 
encoded with a different confidential rate R k ' prn , determined 
based on the history of prior messages experiencing secrecy 
outages. Thus, a scheme can adaptively vary its confidential 
data rate to improve the performance. 

As in Section[V] our objective is to maximize aggregate long- 
term confidential utility of K source-destination pairs. Let x p be 
the average rate of confidential messages injected into the queue 
of the source node s, p" ut (R k ' pnv ) be the secrecy outage prob- 
ability of the message k of source node s when encoded with 
confidentiality rate R kprn , and y s be the maximum allowable 
portion of actual confidential bits experiencing secrecy outage. 
We consider the solution of the following optimization problem: 



R k s "" v ,.Mt),^i(t)ses 



s. t. X p < : 



^k,priv 



E R 



E 



jk,priv n OUt ( nk.priv 



p° M (RfP nv ) < y s E R k s 



nk.priv 



(0 



l{j\(U)eL} 



(12) 

(13) 
(14) 

>0, (15) 



where Constraint (foi l ensures that the long-term service rate is 
larger than the long-term arrival rate; Constraint (H4l ensures 
that the portion of the actual confidential bits experiencing 
secrecy outage is lower than and Constraint ( fTBI l is for the 
flow conservation at intermediate nodes. 

Once again, we employ a cross-layer dynamic control algo- 
rithm based on the stochastic network optimization framework 
to solve the optimization problem (ll2H15t . Clearly, in this 
problem, subsequent scheduling decisions are correlated with 




e packet queue partial packet queue 



n,r':""' 



Flow Control End-to-cnd Encoding 

Fig. 3. Queues in a source node used for Control Algorithm 2. 

each other, since the message is encoded over finite number of 
blocks, and thus, the optimality of dynamic control algorithms 
cannot be claimed. In the following, we develop a sub-optimal 
solution which performs scheduling by treating the messages 
as if they are infinite length messages, but at the same time 
chooses confidential encoding rates of individual messages by 
keeping account of actual confidential bits experiencing secrecy 
outages. 

The source node s has two separate queues operating at two 
different time scales as illustrated in Figj3] The first queue 
stores the confidential information that has been neither secrecy- 
encoded nor transmitted in previous blocks. Let Q p (t) denote 
the length of the confidential information queue at block t. In 
every block t , A P (t) confidential bits are admitted into the queue, 
where x P is the long term average rate of admitted confidential 
bits. Departures from this queue occur only when a new secrecy- 
encoded message is created. Let k s (t) be the number of secrecy- 
encoded messages created by block t. The k{t)t\\ confidential 
message is encoded with rate /?J*^' pnw , so the actual confidential 
bits in the message is N s R^ s ^'' pm whereas the complete length 
of the encoded message including the randomization bits is 
always N S R S for every secrecy-encoded message. Once a new 
confidential message is created, it is admitted to the second 
queue, which stores the bits of partially transmitted confidential 
message k s (t). Let P s (t) denote the size of this partial message 
queue at block t. The departures from this queue may occur at 
any block t depending on the outcome of the scheduling and 
routing decisions. A new secrecy-encoded message is admitted 
to the queue only when the partial message queue has emptied, 
i.e., P s (t) = 0. Hence, k s (t + 1) = k s (t) + 1, if P s (t) = 0. 

[efW-^ (f+1),, "" iV ] + +A?W ifP,(0 
k 2? (t) + A p (?) , otherwise 
jN s R s if P, (f)=0 

~~\[Ps(t)-I.i\( s ,i)eLHsi(t) 



0. 



otherwise 



At every intermediate node, there is a queue for each source s. 
Let Q'1(t) denote the size of the queue at intermediate node j 
for source s. 



<2?(/ + l) = 



Gf(0- I M&(0 

MUj)eL 



In order to determine the occurrence of secrecy outages, 
each source keeps track of accumulated information at each 
intermediate node. Let 25 (t) be the number of bits that must be 
accumulated by intermediate node i to decode the k(t )th confi- 
dential message of source s at block t . Note that a secrecy outage 
occurs in k(t )th message, if 2f(t) = for any intermediate node 
i. 



'(R s -R k / t+1) ' priv )N s ifP,(0 = 



m)-fm 



otherwise 



The constraint in (TBl i can be represented by a virtual queue, 
strong stability of which ensures that the constraint is also 
satisfied. The virtual queue keeps account of confidential infor- 
mation experiencing secrecy outages. Hence, there is an arrival 
of R k s ' p " v if kth message has undergone secrecy outage, and 
otherwise. 



^V^ + Rs' 1 '" 1 — YsRs' p " v ~^ if outage in Mi message 
|V* — YsRs 1 '" 1 J if no outage in Icth message 



Control Algorithm 2 (with Finite Encoding Block): 

For each source s: 
(1) End-to-end Encoding: At every generation of new con- 
fidential message, i.e., P s (t) = 0, let k s (t + 1) = k s {t) + 1, 
and determine end-to-end confidential encoding rate: 



r: 



k s (t+l),priv 



rgmax {fi? (t) - W (r/^(r) - ry,) } 



(2) Flow control: At each block t, for some H > 0, each 
source s injects A P (t) confidential bits into its queues 

A p s {t) = argmax {HU s {a) - Q p {t)a} . 

a 

(3) Scheduling: At each block, t , the scheduler chooses the 
set of links e if J^ e (t) = 1 and flow s on the link 6 e 
if J-j(t) = 1, where 



(s, e) = argmax 

seS.eeE 



J V ( *■ 

+ £ (fi?«-ej(oWo+ I zjw/;(o) 



where Q p (t) is multiplied by R s /Rs'' pnv in order to 
normalize it to the size of other queues in the network. 
Note that secrecy outage probability pf"(R) can only be calcu- 
lated if the scheduling decisions are known a priori. Since this 
is not the case, we use an estimate of secrecy outage probability 
as discussed in Section [VTI] 



VII. Numerical Results 

In our numerical experiments, we have considered the net- 
work depicted in Fig. [2] The channels between nodes are 
modeled as iid Rayleigh fading Gaussian channels. The noise 
normalized transmit power is taken as constant and identical to 
P = 1 in every block and for all nodes. Let the power gain 
of the channel between nodes i and j be hjj(t) at block t. 
Then, as N\ — > °°, Rjj(t) = log(l +Phjj(t)). The power gains 
of the channels are exponentially distributed, where the means 
of the link are as given in Table I. We consider a logarithmic 
utility function as U s (t) = K + log(A? (t ) jl where A p (t) is 
the confidential information admitted in block t. Note that, 
Af (f) = a s A s (t) for the control algorithm presented in Section 
[Vl We take K = 3 and H = 100 in all experiments. 

2 We utilize logarithmic utility function to provide proportional fairness. 
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Fig. 4. Performance evaluation of Control Algorithm 1 presented in Section [V] 
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Fig. 5. Performance evaluation of Control Algorithm 2 presented in Section [Vl] 
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In Fig. I4all4bl we investigate the performance of dynamic 
control algorithm presented in Section [V] For the network 
depicted in Fig. [2] we numerically obtain the optimal encoding 
rates a* for source s, resulting in maximum long-term total 
utility. Specifically, we obtain a\ = 0.435 and a| = 0.455 which 
corresponds to long-term average arrival rates x\ = 1.52 and 
x\ = 1.34, respectively. In the experiments, we fix (Xi = a| 
and vary the value of a\ to analyze the effect of a s on the 
confidential data rates and total utility. From Fig.|4a] we first no- 
tice that, long-term confidential data rate of source s\ increases 
with increasing 0£i, since source s\ sends more confidential 
information for each encoded message. It is interesting to note 
that long-term confidential data rate of source $2 increases 
initially with increasing (X\ . This is because for low a,\ values, in 
order to satisfy fairness between sources, source s\ admits more 
packets to its queue (e.g., X[ = 1.71, when a.\ = 0.1), and hence 
its queue size becomes higher. As a result, scheduling decisions 
are given according to emphasis of the stability of source s\'s 
queue, and thus the long-term arrival rate of source S2 is lower 
when a,\ is smaller (e.g., X2 = 1.18 when a,\ =0.1). However, 
when a,\ is high, the emphasis on the scheduling decisions is 
to satisfy the perfect secrecy, and source s\ should divide its 
transmission over the paths more equally at the expense of lower 
long-term arrival rates, x\ and x%. Fig.|4b]depicts the relationship 
between a\ and the long-term total utility. As expected, the 



total utility increases with increasing a\ until tt\ = tt\. As a,\ 
increases, there is a gain due to incorporating more confidential 
information into each encoded message of source s\. However, 
when a\ is high, long-term arrival rates of both sources decrease 
as indicated previously. Thus, when a,\ > aj*, the loss due to 
decrease in x\ and X2 dominates the gain due to increasing OL\. 

We next analyze the performance of control algorithm pre- 
sented in Section [VI] In numerical experiments, we estimate 
pT(R) with j^-j for < R < R s . In Fig. [52 the effect of 
increasing N S R S on the long-term confidential data rate, x$, 
is shown. We first take the confidentiality outage parameter, 
= 0.01, for all users. Fig. |5al depicts that when N S R S = 50 
the long-term confidential data rate has reduced by ap- 
proximately 50% compared to the optimal rates obtained for 
N s —> oo. However, the confidential data rate increases with 
increasing N S R S , and it gets close to the optimal confidential 
data rates, a*x*, when N S R S is large enough, i.e., N S R S = 5000. 
This is due to fact that when the transmission of a message 
takes smaller number of blocks, the portion of confidential bits 
inserted into the codeword, R k s ' pnv /R s , gets smaller to satisfy 
the confidentiality constraint. In addition, as the N S R S increases, 
the correlation between subsequent packets associated with a 
given secrecy-encoded message decreases, so iid approximation 
of control algorithm presented in Section |Vl] becomes more 
accurate. Finally, we investigate the effect of confidentiality 
outage parameter, y s = y for all sources, on xf . Fig. [5b] shows 
that when the confidentiality outage constraint is relaxed, i.e., 

3 If the average rate is 0.5 bits/channel use, the message is approximately 
transmitted in 100 blocks. 



7 is increased, the long-term confidential data rate increases. 
This result is expected, since sources can insert more confi- 
dential information into the encoded message, Rf pm , with a 
higher confidentiality outage parameter. Note that, the optimal 
confidential data rates is obtained for the case where there is no 
secrecy outages. Thus, after 7= 0.15, the long-term confidential 
data rates exceeds the optimal confidential data rates. 

VIII. Conclusion 

In this paper, we obtained achievable confidential data rate 
regions of wireless multihop networks, where the message 
is encoded over very long blocks of information. Then, we 
designed a dynamic control algorithm for a given encoding 
rate and we prove that our algorithm achieves utility arbitrarily 
close to the maximum achievable utility. Next, we described a 
sub-optimal algorithm for the system, where the messages are 
encoded over finite number of blocks. The simulation results 
verify the efficacy of the algorithms, and we show that the 
proposed algorithm asymptotically approaches the optimal rates. 

As a future direction, we will investigate distributed version 
of our dynamic control algorithms, where the scheduler decision 
is given according to local information. We will also consider 
the case, where transmitters only obtain imperfect channel state 
information of the links. 
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Appendix A 
Proof of TheoremQ] 

To begin, node s generates 2 A '' Sl ~' 5 ' random binary se- 
quences. Then, it assigns each random binary sequence to one 
of 2^ bins, so that each bin contains exactly 2 N ( Rs ~ Hs 
binary sequences. We call the sequences associated with a 
bin, the randomization sequences of that bin. Each bin of 
source s is one-to-one matched with a confidential message 

. .npriv 

w € { 1 , . . . , 2 s } randomly and this selection is revealed 
to the destination and all nodes before the communication 
starts. Then, the stochastic encoder of node s selects one 
of the randomization sequences associated with each bin at 
random, independently and uniformly over all randomization 
sequences associated with that bin. Whenever a message is 
selected by node s, this particular randomization message is 
used. This selection is not revealed to any of the nodes nor to 
the destination. 

Let us denote the randomization sequence of message W s 
as W[ for source s, and the transmitted vector of channel 
symbols as X s = [Xs(l), . . . ,X V (A^)], where X s (t) represents the 
transmitted vector of Ni symbols in block t . The received signal 
at intermediate relay node j is Y? = [1^(1), . . . ,Yj(N s )], where 
Yj(t) represents the received vector of symbols at node j in 
block t . Also, the received signal at overhearing neighbor node 
2' is Z? = [Zf (1) , . . . , Z\ (N s )] ■ Assume that there are n overhearing 
neighbor nodes of source s. The equivocation analysis follows 
directly for a given scheduling/routing decision. For any given 
intermediate node j, conditional entropy is given as 



H(W s \Y])=I{W s -,Zl,...,Z s n \Y?)+H(W s \Zl 



>I(Ws;Z{,...,Z^\Yj) 



-I{W s ,W s r ;Z s u . 
-I(W s ,W s r ;Zl,. 



■K\Y] 



I K\Y°,W S ) 

Z^)-H(w;\Y],W s )+H(W s r \Z{,. 



,z£,w; 



>I(Ws,W s r ;Z s u ...,Z s n \Y s )-H(W s r \Y?,W s ) 
>I(W s ,W s r -Zl...X\Yj)-NEi 

= I(X s ,Z-l,...,Z^)-I(X s ,Z-l,...,Zl\Y J s ,W s ,W:')-Ne l 
>I(X s ;Z s l ,...,Z s n \Yj)-N{e 1 +e 2 ) 
= I(X s ,Z\,...,Z s n )-I(X s ;Y-])-N( £l +£ 2 ) 

> £ [l(X s (t)-Z\(t),...X(t))-nUty,Y°(t))} -N( £l + £ 2 ) (23) 
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(24) 



with probability 1, for any positive (£1,62, £3) triplet and 
arbitrarily small 8, as Ni,N 2 —> °°. Here, (fTTI i is by the 
chain rule, ( fl9l l follows from the application of Fano's equal- 
ity, d20T ) follows from the chain rule and that (W S ,W[) O 



X s <H> (Zj, ....,Z*,yj ) forms a Markov chain, (|2TT > holds since 
I(X s ,Z s v ...,Z s n \Y?,W s ,W*) < Ne 2 as the transmitted symbols 
sequence^ is determined w.p.l given (Yj- ,W S ,W[), ( f22b follows 
from the chain rule, (l23l l holds since the fading processes are 
iid, and finally (l24l i follows from strong law of large numbers. 

■ 

Appendix B 
Proof of Theorem[2] 

The optimality of the algorithm can be shown by applying 
the Lyapunov optimization theorem JT8). We consider queue 
backlog vectors for commodity s as Q(f) = (Q\ (t ), . . . ,Qk (t )), 
Q s (t) = (Q\ (t), ■ ■ ■ ,Q s „(t)), and Z'(t) = (Z*(t), . . . ,Z° n (t)), where 
n is the number of intermediate relay nodes in the network. 
Let L(Q,Q S ,Z S ) be a quadratic Lyapunov function of real and 
virtual queue backlogs for commodity s defined as: 

L(Q( t ),Q s (t),z s (t)) = i £&(»)+£ [m)f+{mf] ■ 

L ses 1=1 

Also consider the one-step expected Lyapunov drift, A(f) for 
the Lyapunov function as: 

A(0=E[L(Q(t + l),Q s (t + l),Z s (t + l)) 

- L(Q(t),Q s (t),Z s (t))|Q(t),Q s (t),Z s (t)] . (25) 

The following lemma provides an upper bound on A(f). 
Lemma 1: 



a(o<b-£e 



Q s {t) \ A s {t) - £ ftiW 

{i\(s,i)eL} 



Qs(f) 



E E E fif(0 ( E m£W- I 

L \j\(i,ML j\(j.i)eL 

-I I E[z?(0((i-<%M,(*)+y?(0) I zf(0] ; 

seSids.D 



(26) 



where > is a constant. 

Proof: Since the maximum transmission power is finite, in 
any interference-limited system transmission rates are bounded. 
Let jUj s j max be the maximum rate over link for commodity 
s, which depends on the channel states. Also assume that the 
arrival rate is bounded, i.e., A™ ax is the maximum number of 
bits that may arrive in a block for each source. By simple 
algebraic manipulation one can obtain a bound for the difference 
(Qs(t + l)) 2 — (Qs(t)) 2 and also for other queues to obtain the 
result in 



Applying the above lemma, we can complete our proof. In 
particular, Lyapunov Optimization Theorem [TT~8l suggests that 
a good control strategy is the one that minimizes the following: 



A u (t) =A(t)-HE 



E(^(0)l(Q(t),Q s (t),z s (t)) 



(27) 



By using d26l ) in the lemma, we obtain an upper bound for (l27l i. 
as follows: 



A u (k) <fl-£E 



QAt)\A s (t)- £ Msi (0 
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seSit£S,D 



m)\ I Mf,W- £ MjrC' 

MUi)eL j\(j,i)eL 



-E E E[zfW((i- aj )A,(0+/«W) I z; s M 



-WE 



Et/.((l-« s )A s (f)) 



(28) 



It is easy to observe that our proposed dynamic network control 
algorithm minimizes the right hand side of (l28l l by rearranging 
the terms in (l28l i. 

If the arrival rates and the given encoding rate, a s , are in 
the feasible region, it has been shown in lPT8l that there must 
exist a stationary scheduling and rate control policy that chooses 
the users and their transmission rates independent of queue 
backlogs and only with respect to the channel statistics. In 
particular, the optimal stationary policy can be found as the 
solution of a deterministic policy if the channel statistics are 
known a priori. 

Let U* be the optimal value of the objective function of 
the problem ([5]H]l obtained by the aforementioned stationary 
policy. Also let X s * be optimal traffic arrival rates found as the 
solution of the same problem. In particular, the optimal input 
rate X * could in principle be achieved by the simple backlog- 
independent admission control algorithm of new arrival A s (t) for 
a given commodity s in block t independently with probability 

Cv = K* /X s . 

Also, since X s * is in the achievable rate region, i.e., arrival 
rates are strictly interior of the rate region, there must exist a 
stationary scheduling and rate allocation policy that is indepen- 
dent of queue backlogs and satisfies the followings: 



E 



E 



E WrfWIQ 

L{i\(s,i)eL} 

E rij(f)\v 
ui(y)6i 



> V 



> E 



E ^WIQ S 

U1(;,i)ei 



E{f°(t))\Z s }<(l-a s )X s * + e 3 . 



(29) 

(30) 
(31) 



Clearly, any stationary policy should satisfy (128V Recall that our 
proposed policy minimizes the right hand side (RHS) of ( |28| >. 
and hence, any other stationary policy (including the optimal 
policy) has a higher RHS value than the one attained by our 
policy. In particular, the stationary policy that satisfies (|29| i- 
(l3Tl l. and implements aforementioned probabilistic admission 
control can be used to obtain an upper bound for the RHS of 
our proposed policy. Inserting (|29}-(|3H into (|28K we obtain the 
following upper bound for our policy: 

av/.s /,• E f -' :: '->." E E «& E [G?(01 

seS seSi<jtS,D 

-EE e&E[Zf(0]-ZW*. 

seS ifiS, D 

This is exactly in the form of Lyapunov Optimization Theorem given 
in II 1 81 . and hence, we can obtain bounds on the performance of the 
proposed policy and the sizes of queue backlogs as given in Theorem 
■ 



